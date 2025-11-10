Version: 18.x

Machine & Workload Identity with Server Access

Teleport protects and controls SSH access to servers. Machine ID can be used to grant machines secure, short-lived access to these servers.

In this guide, you will configure tbot to produce credentials that can be used to access a Linux server enrolled in Teleport. The guide will cover access using the Teleport CLI tsh as well as the OpenSSH client.

A running Teleport cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

The tctl and tsh clients. Installing tctl and tsh clients Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service: TELEPORT_DOMAIN= teleport.example.com:443 TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')" Follow the instructions for your platform to install tctl and tsh clients: Mac Windows - Powershell Linux Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients: curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg In Finder double-click the pkg file to begin installation. danger Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security. curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip All of the Teleport binaries in Linux installations include the tctl and tsh clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page. curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz cd teleport sudo ./install



If you have not already connected your server to Teleport, follow the getting started guide.

To check that you can connect to your Teleport cluster, sign in with tsh login , then verify that you can run tctl commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and [email protected] teleport.example.com --user= [email protected] tsh login --proxy=--user= tctl status tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

, then verify that you can run commands using your current credentials. For example, run the following command, assigning to the domain name of the Teleport Proxy Service in your cluster and command, you can use your current credentials to run subsequent commands from your workstation. If you host your own Teleport cluster, you can also run commands on the computer that hosts the Teleport Auth Service for full permissions. tbot must already be installed and configured on the machine that will connect to Linux hosts with SSH. For more information, see the deployment guides.

First, Teleport must be configured to allow the credentials produced by the bot to connect to SSH servers in your infrastructure. In this example, access will be granted to all SSH nodes for the username root . This is done by creating a role that grants the necessary permissions and then assigning this role to a Bot.

Create a file called role.yaml with the following content:

kind: role version: v6 metadata: name: example-role spec: allow: logins: [ 'root' ] node_labels: '*': '*'

Replace example-role with a descriptive name related to your use case.

You may also wish to adjust this to grant access to a user other than root depending on what commands will need to be executed with the credentials.

For production use, you should adjust node_labels to restrict this access to only the hosts that the bot will need to access. This is known as the principle of least privilege and limits the damage that exfiltrated credentials can do.

Use tctl create -f ./role.yaml to create the role.

tip You can also create and edit roles using the Web UI. Go to Access -> Roles and click Create New Role or pick an existing role to edit.

Now, use tctl bots update to add the role to the Bot. Replace example with the name of the Bot you created in the deployment guide and example-role with the name of the role you just created:

tctl bots update example --add-roles example-role

Now, tbot needs to be configured with a service that will produce an SSH certificate and OpenSSH configuration. For this we use the identity output service type.

Output services must be configured with a destination. In this example, the directory destination will be used. This will write these credentials to a specified directory on disk. Ensure that this directory can be written to by the Linux user that tbot runs as, and that it can be read by the Linux user that needs to use SSH.

Modify your tbot configuration to add an identity service:

services: - type: identity destination: type: directory path: /opt/machine-id

If operating tbot as a background service, restart it. If running tbot in one-shot mode, it must be executed before you attempt to use the credentials produced by tbot to connect to nodes via SSH.

Once tbot has been run or restarted, you should now see several files under /opt/machine-id :

identity : this is a bundle of credentials that can be used by tsh to authenticate.

: this is a bundle of credentials that can be used by to authenticate. ssh_config : this can be used with OpenSSH and other tools to configure them to use the Teleport Proxy Service with the correct credentials when making connections.

: this can be used with OpenSSH and other tools to configure them to use the Teleport Proxy Service with the correct credentials when making connections. known_hosts : this contains the Teleport SSH host CAs and allows the SSH client to validate a host's certificate.

: this contains the Teleport SSH host CAs and allows the SSH client to validate a host's certificate. key-cert.pub : this is an SSH certificate signed by the Teleport SSH user CA.

: this is an SSH certificate signed by the Teleport SSH user CA. key : this is the private key needed to use the SSH certificate.

These credentials can be used with Teleport's CLI tsh or with OpenSSH client tools like ssh and sftp .

To use tsh with a tbot identity service the path to the identity file must be specified using the -i flag. In addition, --proxy must be used to specify the address of the Teleport Proxy Service that should be used when making connections.

In this example, tsh is used to connect to a node called my-host via the proxy example.teleport.sh:443 and to execute the command hostname :

tsh -i /opt/machine-id/identity --proxy example.teleport.sh:443 ssh root@my-host hostname my-host

To use OpenSSH with the identity service, the path to the ssh_config should be provided to ssh with the -F flag.

With the generated ssh_config you must append the name of the Teleport cluster to the name of the node - in this example, the command hostname is executed as root on the node my-host belonging to the cluster example.teleport.sh .

warning The ssh_config for OpenSSH requires that tsh is installed. This is necessary as tsh is used to make the OpenSSH client compatible with Teleport's port multiplexing.

To integrate with other SSH tools, first determine whether the ssh_config is compatible with them. This is the case for many tools such as Ansible and the guidance provided under "Connecting using OpenSSH" should be sufficient.

If you wish to integrate with Ansible, check out the Ansible-specific guide.

If your tool is not compatible with ssh_config , it may still be possible to configure it to use the credentials produced by Machine ID. It must support SSH client certificates and either ProxyCommand or ProxyJump functionality.